BBC bought botnet

The British Broadcasting Corporation bought its own botnet. What a silly thing to do.
Written by Tom Espiner, Contributor

Using 22,000 computers that had already been infected, the BBC bought software that enabled it to control the botnet. It spammed itself and, by prior agreement, launched an attack against security firm Prevx. I can't believe they could have been so stupid.

Legally, the Beeb is on very shaky ground, according to Pinsent Masons senior associate Struan Robertson. Speaking to me on Thursday, Robertson said that in his opinion Auntie had broken the law.

"I think it's a breach of the Computer Misuse Act," said Robertson. "It looks to me like an offence under Section 1, which deals with unauthorised access."

It doesn't matter that the spam emails were sent to BBC accounts or that the distributed denial of service attack against Prevx was pre-arranged, said Robertson. The Beeb acquired a means of controlling a botnet, which, in Robertson's opinion, is an offence.

Computer security expert Richard Clayton wrote on the Crypto mailing list that he too thought it was a section 1 offence, and that "doubtless the 'Click' programme makers will be handing themselves in, to save the time of overworked [police] officers of going out to White City to find them..."

The Met Police told me on Thursday that it had talked to the BBC.

"The Met police have spoken to the BBC in relation to a news report by BBC Click," said a Met Police statement. "Advice has been given and no further action will be taken at this stage."

I wonder what the "at this stage" bit means. Normally the police will investigate a crime because of criteria which include whether a complaint has been made, and/or whether it is in the public interest to investigate.

I suspect whether further action will be taken will very much depend on whether any, or a proportion of, the 22,000 affected people make a complaint to the Met.

Quite aside from the potential illegality of what the BBC did, there is also the potential damage to its reputation, which is deservedly very good. How could a world-class broadcaster allow its staff to control a botnet? It doesn't matter where the infected PCs are; it's a very deeply silly thing to have done, and I suspect the BBC doesn't want to be thought of as being deeply silly.